Total
1692 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13957 | 1 Abb | 3 Aspect Enterprise, Matrix Series, Nexus Series | 2025-07-13 | 7.6 High |
| SSRF Server Side Request Forgery vulnerabilities exist in ASPECT if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*. | ||||
| CVE-2024-27775 | 1 Sysaid | 1 Sysaid | 2025-07-13 | 7.2 High |
| SysAid before version 23.2.14 b18 - CWE-918: Server-Side Request Forgery (SSRF) may allow exposing the local OS user's NTLMv2 hash | ||||
| CVE-2024-6424 | 1 Mesbook | 1 Mesbook | 2025-07-13 | 9.3 Critical |
| External server-side request vulnerability in MESbook 20221021.03 version, which could allow a remote, unauthenticated attacker to exploit the endpoint "/api/Proxy/Post?userName=&password=&uri=<FILE|INTERNAL URL|IP/HOST" or "/api/Proxy/Get?userName=&password=&uri=<ARCHIVO|URL INTERNA|IP/HOST" to read the source code of web files, read internal files or access network resources. | ||||
| CVE-2025-23221 | 1 Dahlia | 1 Fedify | 2025-07-13 | 5.4 Medium |
| Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechanisms, and forcing the victim’s server into an infinite loop causing Denial of Service. Moreover, this issue can also be maneuvered into performing a Blind SSRF attack. This vulnerability is fixed in 1.0.14, 1.1.11, 1.2.11, and 1.3.4. | ||||
| CVE-2024-13856 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 6.4 Medium |
| The Your Friendly Drag and Drop Page Builder — Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-13029 | 1 Antabot | 1 White-jotter | 2025-07-12 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/book of the component Edit Book Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-33592 | 2 Softlab, Wordpress | 2 Radio Player, Wordpress | 2025-07-12 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player.This issue affects Radio Player: from n/a through 2.0.73. | ||||
| CVE-2024-34361 | 1 Pi-hole | 1 Pi-hole | 2025-07-12 | 8.6 High |
| Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. | ||||
| CVE-2025-30914 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in XpeedStudio Metform allows Server Side Request Forgery. This issue affects Metform: from n/a through 3.9.2. | ||||
| CVE-2024-32964 | 1 Lobehub | 1 Lobe Chat | 2025-07-12 | 9 Critical |
| Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause Server-Side Request Forgery without logging in, attack intranet services, and leak sensitive information. | ||||
| CVE-2025-1662 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 6.4 Medium |
| The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'url_media_uploader_url_upload' action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-8099 | 2 Duckdb, Vanna-ai | 2 Duckdb, Vanna | 2025-07-12 | N/A |
| A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of vanna-ai/vanna when using DuckDB as the database. An attacker can exploit this vulnerability by submitting crafted SQL queries that leverage DuckDB's default features, such as `read_csv`, `read_csv_auto`, `read_text`, and `read_blob`, to make unauthorized requests to internal or external resources. This can lead to unauthorized access to sensitive data, internal systems, and potentially further attacks. | ||||
| CVE-2024-56275 | 2 Envato, Wordpress | 2 Envato Elements, Wordpress | 2025-07-12 | 4.1 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery.This issue affects Envato Elements: from n/a through 2.0.14. | ||||
| CVE-2024-13879 | 2 Wordpress, Xwp | 2 Wordpress, Stream | 2025-07-12 | 5.5 Medium |
| The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. | ||||
| CVE-2024-45317 | 1 Sonicwall | 1 Sma1000 | 2025-07-12 | 7.5 High |
| A Server-Side Request Forgery (SSRF) vulnerability in SMA1000 appliance firmware versions 12.4.3-02676 and earlier allows a remote, unauthenticated attacker to cause the SMA1000 server-side application to make requests to an unintended IP address. | ||||
| CVE-2024-11836 | 1 Plextrac | 1 Plextrac | 2025-07-12 | N/A |
| Server-Side Request Forgery (SSRF) vulnerability in PlexTrac allowing requests to internal system resources.This issue affects PlexTrac: from 1.61.3 before 2.8.1. | ||||
| CVE-2025-30976 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in wpdive Nexa Blocks allows Server Side Request Forgery. This issue affects Nexa Blocks: from n/a through 1.1.0. | ||||
| CVE-2024-35172 | 2 Shortpixel, Wordpress | 2 Shortpixel Adaptive Images, Wordpress | 2025-07-12 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.3. | ||||
| CVE-2024-13857 | 1 Wordpress | 1 Wordpress | 2025-07-12 | 5.5 Medium |
| The WPGet API – Connect to any external REST API plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. | ||||
| CVE-2024-30453 | 2 Brave, Wordpress | 2 Brave Popup Builder, Wordpress | 2025-07-12 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.6.5. | ||||